
executive insights

Traits of Highly Successful Security Organizations
Stephen Schmidt, CISO, Amazon Web Services

SECRETS OF THEIR SUCCESS

The democratization of security

It’s no secret that the responsibilities of security and risk management executives, like CISOs, CSOs, and CTOs, are dramatically expanding. Not only are we accountable for being preemptive and vigilant against security threats and safeguarding business networks, we’re now rapidly evolving to become stewards of our organization’s brand, strengthening its reputation while also building board credibility and customer trust.

In my more than 12 years as CISO of Amazon Web Services, partnering with numerous AWS customers in their cloud and security journeys, I’ve come to recognize some standout organizations that are taking on this transformation remarkably well. I’ve also been able to see firsthand how they’re doing it.

What do we mean by successful security organizations? These are companies that are improving their risk posture at a more efficient rate than others, while, at the same time, optimizing their use of cloud to create new forms of business value at a faster pace.

The three key traits of highly successful security organizations:

1 They are forward-leaning with audit and legal.
2 They leverage automation.
3 They practice agile decision making.
TRAIT #1

They are forward-leaning with audit and legal

Working closely with legal and compliance professionals, audit partners,
and regulators is perhaps the most critical of the three traits. Just like
security professionals, these individuals are tasked with safeguarding
their organizations, so they need to be engaged early and often.
Security organizations that are able to rapidly adopt the cloud recognize
that legal, audit, and compliance stakeholders can become strong allies.

Communicate early and often

Successful security organizations proactively communicate and prioritize alignment with legal, audit, and compliance professionals. This seems obvious, but quite often we see organizations establish their internal control systems and get momentum going only to stumble because they haven’t properly aligned with the right teams along the way. It’s not always easy to overcome the traditional way of operating, which for some organizations was to enlist stakeholders in the middle or near the end of a given process. As security leaders, we don’t want to see security “bolted on” to a product after it has been built. In the same way, we should integrate the necessary steps into our security processes to proactively ensure adherence to legal, audit, and compliance requirements. One of the things we do on a regular basis at AWS is engage with our customers and their internal auditors early on, so they can teach their stakeholders how to audit successfully in the cloud. We do that by providing guidance and tooling, and running “game day” mock audit exercises.

The AWS Auditor Learning Path can help auditors, compliance professionals, and legal professionals learn how to demonstrate compliance using AWS.

Clarify where to go for approval


We’ve noticed that the security organizations that adopt
cloud the fastest establish clarity in the security approval
process. For example, many companies will whitelist
which services employees are allowed to use with
sensitive data. As a cloud provider, AWS is continually
updating our existing services or rolling out new ones.
Our fastest-moving customers have an established
process of communicating out these changes to their
stakeholder teams. These customers broadly share
internal documentation that clearly lists what services
are allowed, what services can handle restricted data,
and what services can handle unrestricted data. Security
leaders who socialize their approval processes throughout
their organization create clarity and velocity.

Understand shared responsibility

Security and compliance is a shared responsibility between AWS and the customer. Highly successful security organizations are proactive about gaining clarity on what they must take on themselves, what AWS can do for them, and what we both work on together. They work closely with their audit, legal, and compliance teams—as well as with AWS—to ensure that they are compliant at the earliest stages of a product or service launch by gaining a deep understanding of inherited, shared, and customer-specific controls.

Shared responsibility model (figure):
Security IN the cloud (Customer): Customer responsibility will be determined by the AWS Cloud services that a customer selects.
Security OF the cloud (AWS): AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.

Forward-leaning with audit and legal: Christoph Strizik, CISO, Origin Energy

If you were to ask Christoph Strizik, CISO of Australia-based Origin Energy, what’s the most effective way for security to align with audit and legal departments, his initial response might be, “Location, location, location.” For the first several months at Origin, Christoph was physically separated from risk and compliance stakeholders. Recognizing that they were key to the success of security, he colocated himself to be right next to them. Over the next six months, he built relationships with them, studied how they worked, and identified gaps in the security and compliance process. Christoph knew that by embracing AWS and cloud, an enormous amount of new data could provide game-changing visibility for audit and legal.

Armed with these insights, Christoph spun into action, proactively setting up regular meetings, building rapport, and becoming a trusted advisor and partner over time. Because Origin is an integrated company where both security and compliance run across all business groups, they can be a united front when providing information to the greater organization. As a result of this strong alignment, audits are much smoother when they do happen—Origin can easily provide a shared dashboard of compliance against security. Christoph believes they have learned a great deal from AWS when it comes to continuous compliance practices. AWS provides on-demand access to their compliance dashboards so organizations like Origin can learn how to balance their shared responsibility.
TRAIT #2

They leverage automation

With so much changing all the time, security must
work hard to keep up with the evolution of software
engineering practices. In highly successful security
organizations, terms like “automation,” “backlog,”
“CI/CD,” and “Agile” are becoming commonplace in the
security lexicon. In fact, Agile, DevOps, and CI/CD are
fundamental practices for most security professionals.

Security as code

The most successful security leaders and organizations understand that security is not something to be bolted on after building something—it should be deeply integrated with the development process itself. If done well, it accelerates development and aligns security practices with the realities of the development lifecycle.

Customers who have embraced cloud adoption have automated their security operations tasks as code in addition to the software they’re developing. A great example of this is the practice of pushing out firewall rule changes. It’s not about logging into a device anymore; it’s about leveraging software as code to enable a continuous build system to test those changes and push them out in near real time.

Automating security tasks can change how an entire security team operates. Here are some examples of ways to automate security functions:

Automatically create tickets and escalate alerts to ensure consistent and timely action.
Generate IAM policies automatically to help reduce the risk of human error.
Automate and centralize log management.
Leverage services and code to automate your threat detection and response capabilities.

Committing code to a repository and having it go through a pipeline for deployment means that no access to production systems is needed, which measurably reduces security risks. Also, every action is logged—from the developer committing the code, to the manager doing the approval, to the build systems releasing the code to production—there is a record of every action that was taken.
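The passage above describes firewall rule changes flowing through a build system that tests them before they are pushed. What follows is an added illustration of such a pipeline test, written for this page and not AWS tooling: a Python gate that a CI job runs against a proposed rule set, failing the build when a rule would expose an administrative port to the whole internet, has a malformed prefix, or lacks the description the audit trail needs. The JSON rule format (name, cidr, from_port, to_port, description), the list of admin ports and the sample rules are all constructed for this example.

```python
"""Pipeline gate for firewall rule changes.

Added illustration for this page, not AWS tooling. The JSON rule format, the
list of admin ports and the sample rules below are constructed assumptions.
Run it as a CI step; a non-zero exit blocks deployment of the rule set.
"""
import ipaddress
import json
import sys

# Ports that must never be reachable from the whole internet (assumed policy).
ADMIN_PORTS = (22, 3389, 5900)
INTERNET = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def lint_rule(rule):
    """Check one ingress rule; return a list of findings (empty means it passes)."""
    findings = []
    try:
        # strict=True rejects host bits set in the prefix, e.g. 10.0.0.1/24,
        # which is almost always a typo that silently widens the rule.
        net = ipaddress.ip_network(rule["cidr"], strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {rule.get('cidr')!r}: {exc}"]

    if not rule.get("description"):
        findings.append("missing description (needed for the audit trail)")

    lo, hi = rule["from_port"], rule["to_port"]
    if not (0 <= lo <= hi <= 65535):
        findings.append(f"invalid port range {lo}-{hi}")
        return findings

    if net in INTERNET:
        if (lo, hi) == (0, 65535):
            findings.append(f"all ports open to the internet ({net})")
        for port in ADMIN_PORTS:
            if lo <= port <= hi:
                findings.append(f"port {port} open to the internet ({net})")
    return findings


def lint_ruleset(rules):
    """Lint every rule; return {rule name: findings} for the rules that fail."""
    failures = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            failures[rule["name"]] = findings
    return failures


def gate(rules_json):
    """CI entry point: parse the proposed rule file, return (passed, failures)."""
    failures = lint_ruleset(json.loads(rules_json))
    return (not failures, failures)


# Constructed sample change set: one clean rule and three that should be blocked.
PROPOSED_RULES = json.dumps([
    {"name": "web-https", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443,
     "description": "public HTTPS"},
    {"name": "bastion-ssh", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22,
     "description": "ssh from anywhere"},
    {"name": "office-rdp", "cidr": "203.0.113.0/24", "from_port": 3389, "to_port": 3389,
     "description": ""},
    {"name": "bad-cidr", "cidr": "10.0.0.1/24", "from_port": 80, "to_port": 80,
     "description": "typo in prefix length"},
])

if __name__ == "__main__":
    passed, failures = gate(PROPOSED_RULES)
    for name, findings in failures.items():
        for finding in findings:
            print(f"BLOCK {name}: {finding}")
    sys.exit(0 if passed else 1)
```

Because the check runs in the pipeline rather than on the device, the rule file in the repository is the single source of truth, the commit and the review approval are the record of who changed what, and a rejected change never reaches production. Real rule sets carry more structure (protocol, direction, target group), but the gate pattern is the same: parse the proposed change, apply the organization's policy, and fail the build on any finding.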

Cultivate relationships with software engineering


To adapt to all the change happening in the enterprise landscape today, our cutting-edge security customers are
looking more and more like engineering organizations. They’re hiring developers into SecOps so they can automate
more, freeing security engineers to focus on tasks that require a high degree of judgment.

More successful CISOs are collaborating with their engineering teams to build guardrails instead of gates, which allows their dev teams and business units to take more accountability and responsibility for security. It’s not about giving up control; it’s about encouraging other teams to be owners so they feel invested.

At AWS, for example, if service teams have a question about security, or if something isn’t going right in the software testing process, the security team is available to provide guidance and partner with the service organization. But the onus is on the service owner to bring the issue to resolution.

Continuous improvement
The leading security organizations make continuous improvement a
priority by continually collecting feedback and creating a closed loop
to drive improvement based on that information. This is true whether
it’s immediate feedback to a developer writing code or feedback to the
application security engineer on the effectiveness of their engagement.

Over time, we’ve evolved the ways in which we use feedback loops
within AWS security, and have observed many leading security
organizations operationalizing best practices, such as:

Partner with the business to design, build, and deliver—securely.
Launch robust and reliable services, while protecting customers and the business.
Support product launch timelines.
Create a culture of security that goes beyond service delivery.

As an example, “Launch robust and reliable services, while protecting all users and consumers” is highly intentional. Our teams know that we have to continue to launch services. Security cannot be a blocker. Quite the opposite, security strives to act as an accelerant for the business. Through a robust feedback loop, our services can launch quickly and continuously, but our teams never lose sight of security throughout the process.
Customer satisfaction at scale

With thousands of features launched in just the last couple of years, people often ask how we execute application security (AppSec) at AWS. Every one of these major features or services has to undergo an application security review, which includes deep inspection of the code and penetration testing. This protects our customers and improves our programs.

For instance, cryptography is complex, and it’s not scalable to hire cryptographers for every team. Therefore, when someone in the organization wants to make a change to cryptographic code, we make sure the person requesting the changes has the right training. And we maintain a set of peer reviewers with exceptional crypto capabilities, who can ensure the change is implemented correctly.

Another mechanism we employ a lot at AWS is what we call “How’s my driving?” surveys. The idea is very similar to how we follow up on customer service experiences on Amazon.com—essentially asking, “Did we solve your problem, yes or no?” Our teams take this same approach with our internal customers when we conduct our AppSec reviews. Any “okay” or “poor” responses prompt a conversation during our AppSec weekly business review. What went wrong? How will we improve it? Viewing your internal business partners as your customer, and working backwards from their requirements, is what enables us to deliver application security at scale.

Balanced hiring

What we’ve learned from many of our customers is that it’s important to hire people with the right qualities, not just the right technical skillset. We achieve balance by investing in people who are curious and who know how to partner effectively, but also by being deliberate about seeking out diversity and looking for talent where we might not normally look, like among veterans or people without a security degree, as examples.

Here are some of the characteristics our customers tell us they look for when building best-in-class security teams:

Deep understanding of our services and internal systems
Offers actionable solutions to service team’s security questions
Innovates with our service teams and contributes to their roadmap
Relentlessly curious
Penchant for automation

Cultivating deep relationships with software engineering: Brian Lozada, CISO, HBO Max

Brian Lozada is a seasoned security professional with a diverse career that includes Accenture, Sony, and Condé Nast. He’s also been a long-time AWS customer. In that time, he’s learned that when it comes to security, “You catch more bees with honey.” He rarely says no to software engineering colleagues. On the contrary, when he joins a new organization, he introduces an internal security “brand,” complete with logo. His goal is to make security immediately approachable so that developers and engineers recognize Brian and his teams as partners rather than obstacles. Brian works so closely with them that he offers regular education through secure code training and security “pods,” which cycle software engineering professionals in and out of high-level initiatives. A regular attendee and presenter at AWS re:Invent, what he’s learned from working with AWS over the years is to empower security practitioners to be creative and proactive, dig into the data science, and most importantly, to make security a customer service organization—because everyone is a customer of security.
TRAIT #3

They practice agile decision making

Enterprises used to build processes around technology acquisitions
that assumed a capital procurement model and a great deal of
hardware, software, and partners. Decisions just took longer
on-premises as a result of the complexity involved in managing
and integrating all the hardware, software, and partner solutions.
For security, this translated to a longer runway to strategize around
implementation. But in a world of cloud services, strategies can be
deployed in minutes. This means risk and security decisions need
to be made quickly or we risk disrupting the business.

Encourage escalation

Something doesn’t look or feel right. There’s a question or confusion about something. The message from the most successful security organizations comes in two words: “Escalate early.” Anyone who’s used a compass knows that it’s much easier to course correct earlier on in the journey. It’s better to get together with the right data and decision makers than to be paralyzed by analysis. What we’ve learned at AWS is that the magic amount of necessary information for good decision making is around 80 percent. If you try to wait until you have all of the data, it will already be too late. And that style of hesitation is particularly unsuited for the speedy world of security.

Also, key information surrounding an escalation is best served unfiltered. Deferring to expertise rather than authority and hierarchy gets everyone the data they need in order to make faster—and still well-informed—decisions. If there is someone between a leader and an expert, you stand to lose clarity or dilute the problem, and you can bet that senior leadership will have questions that require exact answers. At the end of the day, everyone who owns a product should feel accountable. Deep understanding comes from having a deep sense of liability and ownership, and leads to quickly identifying root causes when things go wrong.

We’ve seen some security organizations encourage “escalation buddies.” When a key practitioner goes on vacation or gets sick, the buddy is there and up to speed should something go wrong, is experienced in the space, and is empowered to escalate at the right time.

Senior leaders discuss security quickly and often


Security operates well when not siloed or relegated to a cost center. In fact, senior leadership investment and participation
is a key quality in highly successful security organizations. These organizations and leaders understand well that security is
everyone’s top priority, all of the time. Leaders from across these organizations—across all lines of business and including
the CEO—are deeply curious about security, and encourage regular and frequent meetings, updates, and check-ins. At AWS,
our security engineers have daily standups, standard in the DevOps and Agile development world. For example, our CEO
is deeply engaged with the security team and joins our leadership every week to review and discuss key security metrics.
It’s understood that security is a key enabler of the business.

Seek two-way doors

At AWS, we think of decisions as doorways. A one-way door is a decision that results in something difficult or impossible to change once we’ve gone through it. And if we don’t like what we see on the other side, it’s really hard and often expensive to get back. In contrast, with two-way doors, we can walk through and see what we find. If we don’t like it, we can walk back through the door, effectively reversing the decision.

Successful security organizations do everything in their power to avoid one-way doors and seek out two-way doors. It’s about keeping any changes to security small and frequent in order to iterate rapidly along the way. Iteration is the key to success rather than perfection. Trying to be perfect out of the gate prevents us from ever getting out of the gate.

At AWS, one of our leadership principles is, “Bias for action.” It states that speed matters in business (and, in this case, security), so decisions and actions should be reversible, and not require extensive study. We find that risk taking in security can be healthy, if it is calculated.

Practicing agile decision making: Emilio Escobar, VP & Head of Information Security, Hulu

As a celebrated entertainment provider that serves millions of viewers through thousands of pieces of video content—and a live TV offering—things move fast at Hulu, and decisions need to be made quickly. For Emilio Escobar, in order to enable his teams to be creative while remaining secure, it’s about building the right guardrails into the process from the beginning. That way, decisions can be made within certain parameters by the team members themselves to avoid bottlenecks; they then present their ideas and plans on a biweekly basis. This system promotes a sense of creative freedom, as well as a profound sense of pride. Also, to keep the cadence high around decisions, Emilio meets with his directs every week, as well as his executive peers. In the times in between, they are active and vocal in their collaboration tools.

Finally, Emilio believes there can be no fear in escalating any potential issues if everyone has a sense of solving the same problems. They’re always seeking to find the right balance between security and velocity, which requires a certain measure of transparency and visibility. Emilio and his teams have a close working relationship with AWS—Emilio himself is active at AWS conferences and participates in the CISO council to help drive AWS security products. Working with AWS has ratified his thinking about the importance of closely embedding security within engineering.

CONCLUSION

As we’ve seen, while there’s no specific formula, there are recurring traits that make some security organizations particularly successful:

1) They work closely—and proactively—with legal and compliance professionals, audit partners, and regulators.
2) They are deliberate in keeping up with the increasingly rapid evolution of software engineering practices.
3) They make fast but informed risk and security decisions to ensure that business runs smoothly.

It’s true that many companies are proficient in one or two of these areas. The secret of the most successful security organizations is that they recognize they must maintain all three of these standards. They also recognize that these standards are not standalone—they must be operating in unison in order to achieve the highest levels of success.

As I continue to walk with our customers through their often-challenging security journeys—each one a unique experience—I’m constantly impressed with their determination and resourcefulness. It proves that, even after over a decade in this role, they’re still teaching me new things, and I very much appreciate it.
Related content

Cultivating Security Leadership
Read how enterprise CISOs are investing in their people to safeguard their organizations.

Creating a Culture of Security

AWS Security and Compliance Quick Reference Guide
Learn how to achieve savings and scalability while maintaining robust compliance.

AWS Well-Architected
A framework for achieving operational excellence, security, reliability, performance efficiency, and cost optimization with AWS.

AWS re:Invent 2019 Security Leadership Session
Stephen Schmidt shares his perspective on the current state of cloud security.

Innovative leaders share how they drive business growth and transformation. Learn more

Stephen E. Schmidt, Vice President & Chief Information Security Officer, Amazon Web Services
@stephenschmidt

Stephen Schmidt’s duties at AWS include leading product design, management, and engineering
development efforts focused on bringing the competitive, economic, and security benefits of cloud
computing to business and government customers.

Prior to joining AWS, Stephen had an extensive career at the Federal Bureau of Investigation, where he
served as a senior executive. His responsibilities at the FBI included a term as Acting Chief Technology
Officer, Section Chief, responsible for the FBI’s technical collection and analysis platforms, and as a
Section Chief overseeing the FBI’s Cyber Division components responsible for the technical analysis of
computer and network intrusion activities. His Cyber Division oversight included areas of malicious code
analysis, computer exploitation tool reverse-engineering, and technical analysis of computer intrusions.
